Splunk Search

Error using lookup command

Janani_Krish
Path Finder

I am running the below query,
sourcetype="email" | rename SenderAddress as indicator |lookup tci indicator output type,rating|where isnotnull(type)|dedup indicator|table indicator FromIP rating  type 

It all works fine except if I add a field named attrib.val or tag.name like below
sourcetype="email" | rename SenderAddress as indicator |lookup tci indicator output type,rating,tag.name|where isnotnull(type)|dedup indicator|table indicator FromIP rating  type tag.name

It throws error like,
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

But actually I have a field named tag.name in tci lookup. I suspect if it is because of"." in the field names.
Kindly suggest.

Labels (1)
Tags (1)
0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Fields containing dots should not cause any problem. It works in 8.x.

Provide output field in double-quotes.

sourcetype="email" | rename SenderAddress as indicator | lookup tci indicator output type, rating, "tag.name"

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

Janani_Krish
Path Finder

Hi @manjunathmeti 

I tried like below,
sourcetype="email*" | rename SenderAddress as indicator |lookup tci indicator output type,"tag.name" as tag|where isnotnull(type)|dedup indicator|table indicator tag

Even this is returning the error,
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Try to run the query with CSV file directly. If it works then check the definition for lookup tci and see if proper CSV file is configured to it.

sourcetype="email*" | rename SenderAddress as indicator | lookup tci_filename.csv indicator OUTPUT type, "tag.name" as tag
0 Karma

Janani_Krish
Path Finder

Hi @manjunathmeti 
The lookup tci is of type KV store and not file type.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

I am not sure if the lookup command on KVstore collection supports fields with dotted notation. Try this:

 

sourcetype="email*" | rename SenderAddress as indicator | append [| inputlookup tci | rename "tag.name" as tag | fields type, tag, indicator] | stats latest(*) as * by indicator

 

0 Karma

Janani_Krish
Path Finder

Hi @manjunathmeti 

If I give subsearch I am getting truncated results since my lookup and sourcetype have heavy results. Thats the reason I decided to move to lookup command,

Also I looked into definition of tci lookup where I could see in supported field column it is, "tag".
So I ran the query as below,
sourcetype="ms:o365*" | rename SenderAddress as indicator |lookup tci indicator output type,rating,tag|where isnotnull(type)|dedup indicator|table indicator tag

Now I am not getting any error, but my tag column is empty.

Then I tried running the below query without renaming tag.name field since tag field was supported in earlier query,
|inputlookup tci|search indicator="*"|table indicator tag

Here it says, No matching fields exist.

0 Karma

Janani_Krish
Path Finder

Hi @manjunathmeti 

My case is same as described in post suggested by you, 
https://community.splunk.com/t5/All-Apps-and-Add-ons/Lookup-command-doesn-t-support-dot-notation-in-...

The field itself is mentioned only "tag" in definition. PFB the image,

Janani_Krish_0-1614934573751.png

 

But when I run |inputlookup tci|search indicator="*" the results are like below with tag.name field,

Janani_Krish_1-1614934573325.png
Also I tried,
sourcetype="email*"|lookup tci indicator output type,rating,tag as tag.name|where isnotnull(type)|dedup indicator|table indicator  tag.name

Still getting empty field.

Is there any other way where I can rename my field manually except getting into lookup definitions.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...